The Data Protection Act 1998 (DPA) is based around eight principles 
of good information handling. These give people specific rights in 
relation to their personal information and place certain obligations 
on those organisations that are responsible for processing it. 


An overview of the main provisions of the DPA can be found in The 
Guide to Data Protection. 


This is part of a series of guidance, which goes into more detail than 
The Guide to Data Protection, to help you as an organisation to fully 
understand your obligations, as well as promoting good practice. 


This guidance explains the circumstances in which the regulatory 
activity exemption (in section 31 DPA) may be used by data 
controllers to withhold information requested or to be provided 
under the subject information provisions of the DPA. 


Overview 


Section 31 provides an exemption from the subject 
information provisions for the processing of personal data 
in connection with regulatory activities. 


The exemption is not available to all organisations. It 
applies only to information processed for the core 
regulatory activities of appropriate organisations. 


Even where the exemption is to be used by an 
appropriate organisation in relation to information 
processed for core regulatory functions, it may not be 
used in a blanket manner. The exemption applies only to 
the extent that the application of the subject information 
provisions to the information in question would be likely 
to prejudice the proper discharge of the regulatory 
functions. 
What the DPA says 


Subsection 31(1) outlines the general scope of the exemption: 


Subsection 31(1) 


“Personal data processed for the purposes of 
discharging functions to which this subsection 
applies are exempt from the subject information 
provisions in any case to the extent to which the 
application of those provisions to the data would 
be likely to prejudice the proper discharge of those 
functions”. 


Section 31 applies to the processing of personal data in order to 
carry out various regulatory functions. The exemption applies to the 
provision of information to data subjects to ensure fair processing of 
their personal data¹ and the individual’s right of access to his 
personal data². 


The functions that subsection 31(1) refers to are set out in 
subsections 31(2) to 31(5). The exemption for regulatory activity 
only applies to personal data processed for the purposes of 
discharging these functions. 


Our general approach 


When considering section 31 it is important not to become overly 
concerned with the detailed wording of the section without first 
considering the overall scope of the exemption. You should consider 
both the types of regulatory organisations that are able to use the 
exemption and the types of regulatory functions that are covered. 


Organisations that may rely on section 31 


The exemption is not available to all organisations and only applies 
to the core regulatory activities of bodies which perform appropriate 
public regulatory functions, primarily watchdogs. 


1 The first data protection principle to the extent to which it requires compliance with 
paragraph 2 of Part II of Schedule 1 DPA. 
2 Section 7 DPA. 

Regulatory Activity - Section 31 Data Protection Act 1998 

20120312 

Version: Final 


Regulatory functions 


Subsection 31(2) provides an overview of the types of functions the 
exemption applies to. It only applies to data processed to discharge 
regulatory functions concerning: 


• the protection of members of the public (from dishonesty, 
malpractice, incompetence or seriously improper conduct or in 
connection with health and safety matters); 

• the protection of charities; or 

• fair competition in business. 


Subsection 31(3) clarifies that the functions listed in subsection (2) 
are limited to: 


(a) functions conferred on any person by or under any 
enactment; 

(b) any function of the Crown, a Minister of the Crown or a 
government department; or 

(c) any other function which is of a public nature and is exercised 
in the public interest. 


The scope of paragraph (c) of subsection (3) has created difficulty. 
The paragraph is concerned with functions of a public nature 
exercised by a variety of watchdogs whose regulatory role is 
recognised by both the general public and the sector that they 
oversee. Such regulators may be established by statute or as a 
result of formal agreement of the participants in their sector of 
business. 


Example 

The primary function of many public, and some private, 
bodies is to investigate complaints about the services or 
treatment received by members of the public. 


Ombudsmen are tasked with investigating complaints 
from the public in a variety of fields. 


Regulators such as the Financial Services Authority, the 
Independent Police Complaints Commission, the Care 
Quality Commission, Advertising Standards Authority 
and the Legal Services Complaints Commissioner are all 
tasked with investigating complaints in their respective 
fields and maintaining standards for the benefit of the 
general public. 
One of the primary functions of these organisations is to investigate 
complaints about a particular group of service providers. 


It is inappropriate for an organisation to use section 31 to withhold 
information gathered in the course of investigating complaints about 
itself. Subsection 31(3)(c) does not apply to investigatory or 
complaint handling functions (or any other function which may be of 
benefit to the public) which organisations undertake when 
investigating their own activities. 


Most organisations have an internal complaints procedure to 
investigate and report on how the organisation has carried out its 
primary functions. In addition, most organisations will have 
disciplinary procedures for dealing with inappropriate behaviour by 
staff. These procedures are not the primary activity or function of 
the organisation and are therefore not regulatory activities covered 
by section 31. 


Named bodies that may rely on section 31 where appropriate 


Subsection 31(4) lists certain named parties (mainly ombudsmen) 
who may rely on the exemption in respect of personal data 
processed for the purpose of discharging public functions relating to 
maladministration and failure in services provided by public bodies. 


In addition, section 31 has been amended by a number of other 
statutes to extend the scope of the exemption to cover personal 
data processed in accordance with particular legislation. Subsections 
31(4) (a) to (c) concern processing for certain functions under the 
Financial Services and Markets Act 2000, under the Legal Services 
Act 2007 and certain functions of the Legal Services Board. 
Subsection 31(5) concerns processing for certain functions of the 
Office of Fair Trading. These subsections are obviously only relevant 
to the named regulator under the relevant legislation. 


Limitations on the application of the exemption 


Where a body processes personal data for the purposes of carrying 
out a function falling within the scope of section 31 it is important to 
remember that the section does not operate as a blanket exemption 
with the result that no information processed by that body for that 
function need be disclosed. The exemption is expressed as being 
available only: 
“to the extent to which the application of the [subject 
information provisions] would be likely to prejudice the proper 
discharge of [the] functions [to which the section applies]”. 


The prejudice test is not a weak test, and a data controller must be 
able to point to prejudice which is “real, actual or of substance” and 
to show some causal link between the potential disclosure and the 
prejudice. “Likely to prejudice” means that the “degree of risk must 
be such that there ‘may very well’ be prejudice to those interests, 
even if the risk falls short of being ‘more probable than not’”. There 
should be a “very significant and weighty chance of prejudice to the 
identified public interests”.³ 


Where the disclosure of information in response to a subject access 
request would be unlikely to prejudice the proper discharge of a 
relevant function, such information should be disclosed even though 
it is being processed in connection with a regulatory function falling 
within the scope of section 31. 


Example 
The disclosure of information, which is known to the 
data subject and which the data subject knows is held 
by the data controller, in response to a subject access 
request is unlikely to prejudice the proper discharge of 
public regulatory functions. 


Application to copies of information passed to a regulator 


During an internal investigation into a complaint about itself or its 
staff, an organisation may gather information. If the complaint is 
then referred to a regulator, the organisation may need to pass this 
information on. 


Alternatively, an organisation may come across information that it 
holds in its normal course of business which raises concerns and 
which it decides should be passed on to the appropriate regulator. 


3 See R (on the application of Alan Lord) v Secretary of State for the Home Department 
[2003] EWHC 2073 re. meaning of ‘likely to prejudice’ in section 29 DPA. 
Example 

A bank receives a complaint about the service it has 
provided to a customer. It carries out an internal 
investigation into the matter and advises the customer of 
its conclusions. 


The customer is not satisfied and refers his complaint to 
the Financial Services Ombudsman. The Ombudsman 
then asks the bank for details of its internal investigation 
to assist in his investigation of the complaint. The bank 
supplies the Ombudsman with copies of the information it 
has gathered. 


Although an organisation would not normally consider this 
information to fall within the scope of section 31, this exemption 
may become relevant if the information is referred to the regulator, 
or copied to a regulator in order to assist in the performance of its 
formal regulatory functions. If the regulator can withhold personal 
data in response to a subject access request because it is likely to 
prejudice the discharge of its regulatory function, the originating 
organisation will also be able to do the same. Failure by the 
originating organisation to withhold data might allow a data subject 
(who would be refused access to the data if he approached the 
regulator) to circumvent the provisions of the DPA by simply 
obtaining the data from the originating organisation instead. It is 
therefore important that organisations are cautious with information 
being used by regulatory bodies to carry out their functions. 
However, an organisation cannot rely on section 31 to withhold 
information on the basis that it might, in the future, be used by the 
regulator. 


Other considerations 


In circumstances where the section 31 exemption does not apply, 
other exemptions (in the DPA or introduced by the subject access 
modification orders) or the rules on third party information may be 
relevant in deciding whether personal data should be disclosed in 
response to a subject access request. 


See the ICO guidance on exemptions for further information about 
the exemptions from the subject information provisions. 
The ICO guidance Dealing with subject access requests involving 
other people's information provides advice applicable where 
personal data relates to more than one person. 


More information 


This guidance will be reviewed and considered from time to time in 
line with new decisions of the Information Commissioner, Tribunals 
and courts. 


It is a guide to our general recommended approach, although 
individual cases will always be decided on the basis of their 
particular circumstances. 


If you need any more information about this or any other aspect of 
freedom of information or data protection, please contact us: see 
our website www.ico.org.uk. 